US10474541B2 - Optimized savepoint during database recovery - Google Patents

Abstract

Recovery of a database system can be initiated by taking the database system offline. Thereafter, recovery operations specified by a redo log of the database system are replayed. During the replaying, updates to pages implicated by the recovery operations are blocked. In parallel, modified pages are flushed to physical disk storage. The database is later brought online after all of the recovery operations are replayed.

Description

TECHNICAL FIELD

The subject matter described herein relates to enhanced techniques for database recovery that asynchronously executes savepoints during database recovery.

BACKGROUND

Database systems are susceptible to failure for a variety of reasons including both software and hardware related issues. As a result, recovery logs that record various operations performed by such database systems have been adopted. These recovery logs record various actions performed by the database systems which can be later replayed, if needed, as part of a recovery operation. The point at which a transaction can be rolled back to can be referred to as a savepoint. If an error occurs in the midst of a multiple-statement transaction, the database system can recover from the error by rolling back to a most recent savepoint without needing to abort the entire transaction.

SUMMARY

In a first aspect, recovery of a database system can be initiated by taking the database system offline. Thereafter, recovery operations specified by a redo log of the database system are replayed. During the replaying, updates to pages implicated by the recovery operations are blocked. In parallel, modified pages are flushed to physical disk storage. The database is later brought online after all of the recovery operations are replayed.

Pages modified earlier than a pre-defined time threshold can be flushed to physical disk storage once such pre-defined time threshold is exceeded.

The database system can include an in-memory database storing data in main memory. The database system can include a primary database system and an associated secondary database system such that read statements are routed to the secondary database system until such time as a result lag between the primary database system is beyond a pre-defined lag threshold relative to the secondary database system. Both of the primary database system and the associated secondary database system can be in-memory databases storing data in main memory.

During the replaying, any remaining I/O operations can be triggered during blocking of the parallel updates to the pages implicated by the recovery operations.

The modified pages can be flushed using a continuous disk flusher. The continuous disk flusher can be a thread that runs in a defined time interval and which flushes all modified pages that are not modified for a defined time threshold.

Non-transitory computer program products (i.e., physically embodied computer program products) are also described that store instructions, which when executed by one or more data processors of one or more computing systems, cause at least one data processor to perform operations herein. Similarly, computer systems are also described that may include one or more data processors and memory coupled to the one or more data processors. The memory may temporarily or permanently store instructions that cause at least one processor to perform one or more of the operations described herein. In addition, methods can be implemented by one or more data processors either within a single computing system or distributed among two or more computing systems. Such computing systems can be connected and can exchange data and/or commands or other instructions or the like via one or more connections, including but not limited to a connection over a network (e.g., the Internet, a wireless wide area network, a local area network, a wide area network, a wired network, or the like), via a direct connection between one or more of the multiple computing systems, etc.

The subject matter described herein provides many technical advantages. For example, the current subject matter provides more rapid database recovery by more rapidly executing a savepoint on a secondary database system to avoid blocking log replay which, in turn, allows the secondary database system to perform the log replay at a same or similar speed as a corresponding primary database system.

The details of one or more variations of the subject matter described herein are set forth in the accompanying drawings and the description below. Other features and advantages of the subject matter described herein will be apparent from the description and drawings, and from the claims.

DESCRIPTION OF DRAWINGS

FIG. 1 is a system diagram illustrating an example database system for use in connection with the current subject matter;

FIG. 2 is a system diagram illustrating an example database system that can support distribution of server components across multiple hosts for scalability and/or availability purposes for use in connection with the current subject matter;

FIG. 3 is a diagram illustrating an architecture for an index server for use in connection with the current subject matter;

FIG. 4 is a functional flow diagram illustrating an architecture to support load balancing between a primary database system and a secondary database system;

FIG. 5 is a functional flow diagram depicting one example solution to managing load balancing in a HA/DR system for use in connection with the current subject matter; and

FIG. 6 is a process flow diagram illustrating optimized savepoints during database recovery.

Like reference symbols in the various drawings indicate like elements.

DETAILED DESCRIPTION

The current subject matter is directed to enhanced techniques for database recovery. In particular, the current subject matter is directed to database recovery in which savepoints are asynchronously executed thereby enabling more rapid recovery of the database system.

FIG. 1 is a diagram100 illustrating adatabase system105 that can be used to implement aspects of the current subject matter. Thedatabase system105 can, for example, be an in-memory database in which all relevant data is kept in main memory so that read operations can be executed without disk I/O and in which disk storage is required to make any changes durables. Thedatabase system105 can include a plurality of servers including, for example, one or more of anindex server110, aname server115, and/or anapplication server120. Thedatabase system105 can also include one or more of an extendedstore server125, a database deployment infrastructure (DDI)server130, adata provisioning server135, and/or astreaming cluster140. Thedatabase system105 can be accessed by a plurality ofremote clients145,150 via different protocols such as SQL/MDX (by way of the index server110) and/or web-based protocols such as HTTP (by way of the application server120).

Theindex server110 can contain in-memory data stores and engines for processing data. Theindex server110 can also be accessed by remote tools (via, for example, SQL queries), that can provide various development environment and administration tools. Additional details regarding an example implementation of theindex server110 is described and illustrated in connection with diagram300 ofFIG. 3.

Thename server115 can own information about the topology of thedatabase system105. In a distributed database system, thename server115 can know where various components are running and which data is located on which server. In adatabase system105 with multiple database containers, thename server115 can have information about existing database containers and it can also hosts the system database. For example, thename server115 can manage the information about existing tenant databases. Unlike aname server115 in a single-container system, thename server115 in adatabase system105 having multiple database containers does not store topology information such as the location of tables in a distributed database. In amulti-container database system105 such database-level topology information can be stored as part of the catalogs of the tenant databases.

Theapplication server120 can enable native web applications used by one or moreremote clients150 accessing thedatabase system105 via a web protocol such as HTTP. Theapplication server120 can allow developers to write and run various database applications without the need to run an additional application server. Theapplication server120 can also used to run web-basedtools155 for administration, life-cycle management and development. Other administration anddevelopment tools160 can directly access theindex server110 for, example, via SQL and other protocols.

The extendedstore server125 can be part of a dynamic tiering option that can include a high-performance disk-based column store for very big data up to the petabyte range and beyond. Less frequently accessed data (for which is it non-optimal to maintain in main memory of the index server110) can be put into theextended store server125. The dynamic tiering of theextended store server125 allows for hosting of very large databases with a reduced cost of ownership as compared to conventional arrangements.

TheDDI server130 can be a separate server process that is part of a database deployment infrastructure (DDI). The DDI can be a layer of thedatabase system105 that simplifies the deployment of database objects using declarative design time artifacts. DDI can ensure a consistent deployment, for example by guaranteeing that multiple objects are deployed in the right sequence based on dependencies, and by implementing a transactional all-or-nothing deployment.

Thedata provisioning server135 can provide enterprise information management and enable capabilities such as data provisioning in real time and batch mode, real-time data transformations, data quality functions, adapters for various types of remote sources, and an adapter SDK for developing additional adapters.

The streamingcluster140 allows for various types of data streams (i.e., data feeds, etc.) to be utilized by thedatabase system105. The streamingcluster140 allows for both consumption of data streams and for complex event processing.

FIG. 2 is a diagram200 illustrating a variation of thedatabase system105 that can support distribution of server components across multiple hosts for scalability and/or availability purposes. Thisdatabase system105 can, for example, be identified by a single system ID (SID) and it is perceived as one unit from the perspective of an administrator, who can install, update, start up, shut down, or backup the system as a whole. The different components of thedatabase system105 can share the same metadata, and requests fromclient applications150 can be transparently dispatched to different servers1101-3,1201-3, in the system, if required.

As is illustrated inFIG. 2, the distributeddatabase system105 can be installed on more than one host210_1-3. Each host210_1-3is a machine that can comprise at least one data processor (e.g., a CPU, etc.), memory, storage, a network interface, and an operation system and which executes part of thedatabase system105. Each host210_1-3can execute a database instance220_1-3which comprises the set of components of the distributeddatabase system105 that are installed on one host210_1-3.FIG. 2 shows a distributed system with three hosts, which each run aname server110_1-3,index server120_1-3, and so on (other components are omitted to simplify the illustration).

FIG. 3 is a diagram300 illustrating an architecture for the index server110 (which can, as indicated above, be one of many instances). A connection andsession management component302 can create and manage sessions and connections for theclient applications150. For each session, a set of parameters can be maintained such as, for example, auto commit settings or the current transaction isolation level.

Requests from theclient applications150 can be processed and executed by way of a request processing andexecution control component310. Thedatabase system105 offers rich programming capabilities for running application-specific calculations inside the database system. In addition to SQL, MDX, and WIPE, thedatabase system105 can provide different programming languages for different use cases. SQLScript can be used to write database procedures and user defined functions that can be used in SQL statements. The L language is an imperative language, which can be used to implement operator logic that can be called by SQLScript procedures and for writing user-defined functions.

Once a session is established,client applications150 typically use SQL statements to communicate with theindex server110 which can be handled by aSQL processor312 within the request processing andexecution control component310. Analytical applications can use the multidimensional query language MDX (MultiDimensional eXpressions) via anMDX processor322. For graph data, applications can use GEM (Graph Query and Manipulation) via aGEM processor316, a graph query and manipulation language. SQL statements and MDX queries can be sent over the same connection with theclient application150 using the same network communication protocol. GEM statements can be sent using a built-in SQL system procedure.

Theindex server110 can include anauthentication component304 that can be invoked with a new connection with aclient application150 is established. Users can be authenticated either by thedatabase system105 itself (login with user and password) or authentication can be delegated to an external authentication provider. Anauthorization manager306 can be invoked by other components of thedatabase system105 to check whether the user has the required privileges to execute the requested operations.

Each statement can processed in the context of a transaction. New sessions can be implicitly assigned to a new transaction. Theindex server110 can include atransaction manager344 that coordinates transactions, controls transactional isolation, and keeps track of running and closed transactions. When a transaction is committed or rolled back, thetransaction manager344 can inform the involved engines about this event so they can execute necessary actions. Thetransaction manager344 can provide various types of concurrency control and it can cooperate with apersistence layer346 to achieve atomic and durable transactions.

Incoming SQL requests from theclient applications150 can be e received by theSQL processor312. Data manipulation statements can be executed by theSQL processor312 itself. Other types of requests can be delegated to the respective components. Data definition statements can be dispatched to ametadata manager306, transaction control statements can be forwarded to thetransaction manager344, planning commands can be routed to aplanning engine318, and task related commands can forwarded to a task manager324 (which can be part of a larger task framework) Incoming MDX requests can be delegated to theMDX processor322. Procedure calls can be forwarded to theprocedure processor314, which further dispatches the calls, for example to acalculation engine326, theGEM processor316, arepository300, or aDDI proxy328.

Theindex server110 can also include aplanning engine318 that allows planning applications, for instance for financial planning, to execute basic planning operations in the database layer. One such basic operation is to create a new version of a data set as a copy of an existing one while applying filters and transformations. For example, planning data for a new year can be created as a copy of the data from the previous year. Another example for a planning operation is the disaggregation operation that distributes target values from higher to lower aggregation levels based on a distribution function.

TheSQL processor312 can include an enterprise performance management (EPM)runtime component320 that can form part of a larger platform providing an infrastructure for developing and running enterprise performance management applications on thedatabase system105. While theplanning engine318 can provide basic planning operations, the EPM platform provides a foundation for complete planning applications, based on by application-specific planning models managed in thedatabase system105.

Thecalculation engine326 can provide a common infrastructure that implements various features such as SQLScript, MDX, GEM, tasks, and planning operations. TheSQLScript processor312, theMDX processor322, theplanning engine318, thetask manager324, and theGEM processor316 can translate the different programming languages, query languages, and models into a common representation that is optimized and executed by thecalculation engine326. Thecalculation engine326 can implement those features usingtemporary results340 which can be based, in part, on data within therelational stores332.

Metadata can be accessed via themetadata manager component306. Metadata, in this context, can comprise a variety of objects, such as definitions of relational tables, columns, views, indexes and procedures. Metadata of all these types can be stored in one common database catalog for all stores. The database catalog can be stored in tables in arow store336 forming part of a group ofrelational stores332. Other aspects of thedatabase system105 including, for example, support and multi-version concurrency control can also be used for metadata management. In distributed systems, central metadata is shared across servers and themetadata manager306 can coordinate or otherwise manage such sharing.

Therelational stores332 form the different data management components of theindex server110 and these relational stores can, for example, store data in main memory. Therow store336, acolumn store338, and afederation component334 are all relational data stores which can provide access to data organized in relational tables. Thecolumn store338 can stores relational tables column-wise (i.e., in a column-oriented fashion, etc.). Thecolumn store338 can also comprise text search and analysis capabilities, support for spatial data, and operators and storage for graph-structured data. With regard to graph-structured data, from an application viewpoint, thecolumn store338 could be viewed as a non-relational and schema-flexible in-memory data store for graph-structured data. However, technically such a graph store is not a separate physical data store. Instead it is built using thecolumn store338, which can have a dedicated graph API.

Therow store336 can stores relational tables row-wise. When a table is created, the creator can specify whether it should be row or column-based. Tables can be migrated between the two storage formats. While certain SQL extensions are only available for one kind of table (such as the “merge” command for column tables), standard SQL can be used on all tables. Theindex server110 also provides functionality to combine both kinds of tables in one statement (join, sub query, union).

Thefederation component334 can be viewed as a virtual relational data store. Thefederation component334 can provide access to remote data in external data source system(s)354 through virtual tables, which can be used in SQL queries in a fashion similar to normal tables.

Thedatabase system105 can include an integration of anon-relational data store342 into theindex server110. For example, thenon-relational data store342 can have data represented as networks of C++ objects, which can be persisted to disk. Thenon-relational data store342 can be used, for example, for optimization and planning tasks that operate on large networks of data objects, for example in supply chain management. Unlike therow store336 and thecolumn store338, thenon-relational data store342 does not use relational tables; rather, objects can be directly stored in containers provided by thepersistence layer346. Fixed size entry containers can be used to store objects of one class. Persisted objects can be loaded via their persisted object IDs, which can also be used to persist references between objects. In addition, access via in-memory indexes is supported. In that case, the objects need to contain search keys. The in-memory search index is created on first access. Thenon-relational data store342 can be integrated with thetransaction manager344 to extends transaction management with sub-transactions, and to also provide a different locking protocol and implementation of multi version concurrency control.

An extended store is another relational store that can be used or otherwise form part of thedatabase system105. The extended store can, for example, be a disk-based column store optimized for managing very big tables, which ones do not want to keep in memory (as with the relational stores332). The extended store can run in anextended store server125 separate from theindex server110. Theindex server110 can use thefederation component334 to send SQL statements to theextended store server125.

Thepersistence layer346 is responsible for durability and atomicity of transactions. Thepersistence layer346 can ensure that thedatabase system105 is restored to the most recent committed state after a restart and that transactions are either completely executed or completely undone. To achieve this goal in an efficient way, thepersistence layer346 can use a combination of write-ahead logs, undo and cleanup logs, shadow paging and savepoints. Thepersistence layer346 can provide interfaces for writing and reading persisted data and it can also contain a logger component that manages a recovery log. Recovery log entries can be written in the persistence layer346 (in recovery log volumes352) explicitly by using a log interface or implicitly when using the virtual file abstraction. Therecovery log volumes352 can include redo logs which specify database operations to be replayed whereasdata volume350 contains undo logs which specify database operations to be undone as well as cleanup logs of committed operations which can be executed by a garbage collection process to reorganize the data area (e.g. free up space occupied by deleted data etc.)

Thepersistence layer346 stores data inpersistent disk storage348 which, in turn, can includedata volumes350 and/orrecovery log volumes352 that can be organized in pages. Different page sizes can be supported, for example, between 4 k and 16M. Data can be loaded from thedisk storage348 and stored to disk page wise. For read and write access, pages can be loaded into a page buffer in memory. The page buffer need not have a minimum or maximum size, rather, all free memory not used for other things can be used for the page buffer. If the memory is needed elsewhere, least recently used pages can be removed from the cache. If a modified page is chosen to be removed, the page first needs to be persisted todisk storage348. While the pages and the page buffer are managed by thepersistence layer346, the in-memory stores (i.e., the relational stores332) can access data within loaded pages.

In many applications, data systems may be required to support operations on a 24/7 schedule, and data system providers may be required to guarantee a minimum amount of downtime, that is time during which a system is not able to fully support ongoing operations. When a system is required to ensure an agreed level of operational performance, it may be referred to as a high availability system (“HA”). One solution to guarantee substantially continuous uptime with no, or very little, downtime is to maintain one or more hot-standby systems. A hot-standby system, or a backup system, is a system that may be activated quickly in the event of a disruption causing one or more functions of a primary operational data system to fail. Such a disruption may be referred to as a disaster, and the process of restoring a data system to full operations may be referred to as disaster-recovery (“DR”).

A hot-standby system may be an exact replica of a primary operational system that is capable of providing all the functions provided by the primary operational system, or a hot-standby may be a system that is capable of providing a minimum amount of essential functionality during the time required to restore the primary operational data system. The time it takes after a disaster to restore full, or minimum, functionality of a data system, for example by bringing a hot-standby online, is referred to as recovery time. In an effort to minimize recovery time, and thereby downtime, a hot-standby system is typically in a state just short of fully operational. For example, a system architecture may be implemented in which all functional systems of the hot-standby are active and operational, and all system and data changes or updates occur in the primary operational system and the hot-standby at the exact same time. In such a case the only difference in the two systems may be that the primary is configured to respond to user requests and the secondary is not. In other hot-standby systems one or more functions may be disabled until mission critical systems of the hot-standby are observed to be operating normally, at which time the remaining functions may be brought online.

In many applications, data systems may be required to provide prompt responses to users and applications that rely on the data managed by the data system. Providers and designers of data systems may be required to guarantee a minimum average throughput over time, or an average maximum response time. The speed with which a data system responds to a request from a user or an application may be dependent on many factors, but all systems are limited in the number of requests they can handle in a given period of time. When a data system manages a relatively large amount of data, and supports a relatively large number of users or applications, during high workloads a request may be queued, buffered or rejected until sufficient system resources are available to complete the request. When this happens, average throughput goes down and average response time goes up. One solution to such a problem is to distribute the workload across multiple processing systems. This is known as load balancing.

One drawback to load balancing and HA systems is that they may require additional processing systems, which in turn have a high cost. It is often the case with certain data systems supporting critical functions of an organization that additional systems are needed to perform both load balancing and HA functionality to efficiently support continuous operations. Given the redundant nature of DR systems, they are often left undisturbed unless a disaster occurs. Thus, in some circumstances, it is desirable to implement and maintain a combination high availability/disaster recovery (HA/DR) system with load balancing that includes both a primary operational system and a hot-standby system, and potentially one or more tertiary systems. Such a combination system allows for load balancing of workload between the processing systems of both the primary operational system and the hot-standby system, without disrupting the ability of the HA/DR system to assume primary functionality in the event of a disaster.

FIG. 4 is a functional flow diagram illustrating anarchitecture400 to support load balancing between a primary database system, orprimary system405aand a secondary database system, orsecondary system405b, which serves as hot-standby toprimary system405a. Each of theprimary system405aand thesecondary system405bmay be a single instance system, similar todatabase system105 depicted inFIG. 1, or each may be a distributed variation ofdatabase system105 as depicted inFIG. 2. Such anarchitecture400 may be useful in a high availability data system, or in a disaster recovery system, or in a combination HA/DR system.

Each of theprimary system405aandsecondary system405bmay include a load balancing functionality. Such load balancing functionality may for example be contained within a distinctload balancing server470aor470b. But, such load balancing functionality may be managed by any suitable processing system. For example, theapplication server120 of the primary system may also manage the load balancing of requests issued to the application server of theprimary system405a, sending requests to thesecondary system405bas necessary to maintain a well distributed workload.

As depicted inFIG. 4, each of theprimary system405aand thesecondary system405bincludes aload balancing server470aand470bwhich respectively receive requests from user applications directed to theprimary system405aor thesecondary system405b. Such request may come from eitheradmin tools460 or web-basedtools450, or any other user application. Upon receiving a request a load balancing server, e.g.470a, determines how to distribute the workload. As depictedload balancing server470aroutes anSQL request465 fromadmin tools460 to theindex server110 of theprimary system405a, while routing anHTTP request455 from web-basedtools450 to theapplication server120 of thesecondary system405b.

Load balancing of resources between aprimary system405aand asecondary system405bcan give rise to a number of complicating issues. For example, if either of therequests455,465 requires writing to one or more data tables, or modifying a data table, then the twosystems405a,405bwill diverge. After many instances of write requests being distributed between theprimary system405aand thesecondary system405b, the two systems would be substantially different, and likely unusable. In another example, an application request, e.g.465, may perform a write transaction that is followed by a read transaction, e.g.455, related to the data written by thewrite request465. If the write request is allocated to theprimary system405a, the read request would obtain a different result depending on whether the subsequent read transaction is carried out by theprimary system405aor by thesecondary system405b.

Load balancing in a HA/DR system, by distributing a portion of the workload of a primary data system to a hot-standby or backup system must be done in a way that does not disturb the principal purpose of the backup system, which is to substantially eliminate downtime in a high availability system by enabling quick and efficient recovery of operations. In other words, as a rule load balancing cannot break the hot-standby. Given this principal purpose, any solution that enables load balancing of workload between a primary system and a backup system must maintain the backup system in an identical, or nearly identical, state as the primary system. Such a solution should also avoid or prohibit any actions which may cause the state of the backup system to substantially diverge from the state of the primary system. In this way, in the event of a partial or total failure of the primary system due to disaster, the backup system can failover to a primary system mode with minimal or no impact to client applications.

FIG. 5 depicts one possible solution to managing load balancing in a HA/DR system500. HA/DR system500 includes aprimary system505 and asecondary system510 and is capable of load balancing betweenprimary system505 andsecondary system510 without interfering with the hot-standby functionality of thesecondary system510. Each ofprimary system505 andsecondary system510 may be single instance database systems similar todatabase system105 depicted inFIG. 1, or a distributed variation ofdatabase system105 as depicted inFIG. 2. Furthermore, each ofprimary system505 andsecondary system510 may comprise less, more or all the functionality ascribed toindex server110,300,name server115,application server120, extendedstore server125,DDI server130,data provisioning server135, andstream cluster140. But, for simplicity of illustration HA/DR system500 has been simplified to highlight certain functionality by merely distinguishing betweenprocessing control555,560 and apersistence layer565,570 of eachrespective system505,510.

A collection of clients may each maintain an open connection to both theprimary system505 and thesecondary system510. For example,client515 maintains a read/write connection520 to theprimary system505 and a read onlyconnection525 to thesecondary system510. Alternatively,client515 may maintain a read/write connection with each of theprimary system505 and thesecondary system510, while processes within thesecondary system510 itself prohibit execution of any requests that require a write transaction upon the secondary system while it is in backup mode. Management of load balancing of the workload required by a client application executing atclient515 may be managed by theclient515 application itself. Alternatively, aclient515 application may submit a query request to theprimary system505. Aprocess control555 load balancing process executing onprocessor545 then may determine where the query should be executed and replies to theclient515 with instructions identifying which system theclient515 should issue the query to.

Primary system505 may include an in-memory database in which substantially all actively used data may be kept and maintained inmain memory535 so that operations can be executed without disk input/output operations (I/O), which requires accessing disk storage.

Active operations of applications withinprocessing control555 may causeprocessor545 to read and write data intomain memory535 or to disk in thepersistence layer565.Processing control555 applications can also causeprocessor545 to generate transaction logs (e.g., redo log, undo log, cleanup log, etc.) for capturing data transactions upon the database, whichprocessor545 then persists in thelog volumes585 anddata volumes575 respectively. As substantially all actively used data may reside in-memory,processing control555 may interact primarily with data held in main memory while only resorting todata volumes575 for retrieving and writing less often used data. Additional processes withinprocessing control555 may be executed byprocessor545 to ensure that in-memory data is persisted inpersistence layer565, so that the data is available upon restart or recovery.

Primary system505 may be the primary operational system for providing the various functionality necessary to support 24/7 operations for an organization.Secondary system510 may be a hot-standby, ready to come online with minimal recovery time so as to minimize downtime.Secondary system510 may be an identical physical system asprimary system505, and may be configured in a substantially identical manner in order to enable thesecondary system510 to provide all the same functionality asprimary system505. For example,processing control560 may include all the same applications and functionality asprocessing control555, andpersistence layer570 may includedata volumes580 andlog volumes590 that are configured in an identical manner asdata volumes575 andlog volumes585 respectively.Secondary system510 may also include an in-memory database kept and maintained primarily inmain memory540.

Primary system505 andsecondary system510 differ in that all requests, fromclient515 or otherwise, that require a write transaction are executed only inprimary system505.Primary system505 andsecondary system510 further differ in that all write transactions are prohibited by thesecondary system510. In order to propagate changes to the data or the underlying schema from theprimary system505 to thesecondary system510,processor545 also replicates530 transaction logs directly to theprocess control560 of thesecondary system510.Process control560 includes one or more applications that causeprocessor550 to then replay the transaction logs replicated from theprimary system505, thereby replaying the transactions at thesecondary system510. As transaction logs are replayed, the various transactions executed at the primary system become reflected in thesecondary system510. In order to ensure both the HA functionality and the load balancing functionality, replay of the transaction logs at the secondary system places data inmain memory540, and also persists any data committed in the primary system topersistence layer570 to be stored bydata volumes580. Replay of the transaction logs at thesecondary system510 may also results in the transaction logs being persisted inlog volumes590.

Transaction logs (e.g., redo logs, undo logs, cleanup logs, etc.) in thelog volumes585 may be replicated in different ways. Where maintaining a standby system in as close to the same state as the primary system is an important factor, logs may be replicated synchronously meaning that the primary system will not commit a transaction until the secondary successfully responds to the log replication. Such an arrangement slows performance of the primary system. Conversely, where performance of a primary system is a priority, logs may be replicated asynchronously, in which case the primary operation proceeds with committing transactions without waiting for a response. Various tradeoffs can be made between these two scenarios to achieve a proper level of performance while ensuring replication of critical data.

It will be appreciated from the detailed description above that such a secondary system in standby mode, such assecondary system510, can only be as current as its most recently replayed transaction logs. Transaction logs are replicated and replayed at thesecondary system510 only after a transaction executes in theprimary system505.Secondary system510, therefore, is always slightly behind an associatedprimary system515. Also, there is no guarantee that a query routed to the primary system in a load balancing effort will be executed before, during or after a particular transaction log is replayed. Thus, the state of theprimary system505 and the state of the secondary system will rarely if ever be identical. But, by addressing certain concerns,secondary system510 may be kept in a state substantially close to the same state as theprimary system505 such that the workload required by many operations can be supported by the secondary510.

With the HA/DR system500, an initial copy on theprimary system505 can be shipped to thesecondary system510 that can serve as a starting point, where both theprimary system505 and thesecondary system510 have identical data, before transaction log replay commences to synchronize all future changes from theprimary system505 to thesecondary system510.

As noted above, the data of the primary system505 (also referred to as the primary system data) can comprisedata volumes350,575 comprising a data store together with undo and cleanup log andrecovery log volumes352,590 comprising the recovery log. Other types of storage arrangements can be utilized depending on the desired configuration. The data store can comprise a snapshot of the corresponding database contents as of the last system savepoint. System savepoints (also known in the field of relational database servers as checkpoints) can be periodically or manually generated and provide a point at which the recovery log can be truncated.

The savepoint can, in some variations, include an undo log of transactions which were open in the savepoint and/or a cleanup log of transactions which were committed in the savepoint but not yet garbage collected (i.e., data which has been deleted by these transactions has been marked as deleted but has not been deleted in a physical manner to assure multiversion concurrency control).

The recovery log can comprise a log of all changes to the database contents (i.e., thedatabase system105, theprimary database505 and/or thesecondary database510, etc.) since the last system savepoint, such that when a database server is restarted, its latest state is restored by replaying the changes from the recovery log on top of the last system savepoint. Typically, in a relational database system, the previous recovery log is cleared whenever a system savepoint occurs, which then starts a new, empty recovery log that will be effective until the next system savepoint. While the recovery log is processed, a new cleanup log is generated which needs to be processed as soon as the commit is replayed to avoid a growing data area because of deleted but not garbage collected data.

For read access in arrangements having aprimary system505 and asecondary system510 such as illustrated and described in connection withFIGS. 4 and 5, a read transaction needs to able to see a consistent state of the database state. This conditions requires the blocking of garbage collection processes for such data which the read transaction could potentially see. As the garbage collection processing is part of the recovery log processing this would mean to block the recovery queues which would also mean that thesecondary system510 cannot be in sync with theprimary system510 anymore, resulting in inacceptable takeover times in case of a failure of the primary system.

As part of a database system recovery/restart, after the savepointed state of data is restored, and before processing of the recovery log commences, all cleanup logs can be iterated through and, in implementations using a history manager, passed to the history manager for asynchronous garbage collection processing.

In addition, it can be checked if there are older versions of the cleanup log present in the savepoint which need to be processed synchronously with regard to the recovery log. In such cases, recovery log processing can wait until garbage collection of old versions of cleanup logs finish. However, recovery log processing can commence when there are newer versions of cleanup logs for garbage collection. In cases in which no old versions of cleanup logs exist, recovery log replay can start immediately after the cleanup log from the savepoint has been passed to the history manager.

In some implementations, savepoints can be written during log replay by thesecondary system510. However, with some arrangements, it is not possible to write savepoints on thesecondary system510 in the same manner as on theprimary system510. In theprimary system505, the savepoint will, at the start of an exclusive phase, acquire a consistent change exclusive lock to ensure that it sees a consistent state of data (i.e., no consistent Change running, etc.). However, during recovery, the info of the consistent changes is missing, so the only position at which no consistent change is known to be running is a savepoint log entry that is written by the primary savepoint (i.e., the savepoint on the primary system505). Synchronized redo replay entry was adopted to ensure that first, all redo operations are executed up to this savepoint log entry log position, then the savepoint is executed, and afterwards the replay continues. With larger database systems with high load, it can take several minutes to execute the savepoint, which will block the log replay on thesecondary system510, up to the point that the replay cannot be executed on thesecondary system510 at the same speed as it is generated on theprimary system505.

A typical savepoint can have three phases. First, in the pre-critical phase all modified pages can be iterated through and flushed to physical persistence (i.e., disk, etc.). Second, a critical phase can block all parallel updates and triggers all the remaining I/O to ensure the consistent state of data. Lastly, a post-critical phase can wait for all remaining I/O.

With the primary system505 (i.e., the online database system, etc.), only the second phase can have an influence on the parallel workload. And this phase can be short, as most of the pages should already be flushed in the first phase and I/O is only triggered for the remaining pages to ensure the consistent state of data and do not wait for I/O. During log replay, with conventional systems, all three phases can be executed synchronously which results in the log replay being blocked until all three phases are complete.

As noted above, with the current arrangement, the savepoint can be asynchronously executed during log replay. The first phase described above can be skipped such that log replay right can be continued after second phase is finished, so there is no need to wait for any I/O. This optimization, while providing enhanced recovery time, can lead to increased memory consumption due to the shadow pages for all the page I/O that is triggered during the second phase. To address this situation, a continuous page flusher can be used that runs in parallel to the recovery and can actively flush modified pages to disk, to compensate the first phase so that the amount of pages that have to be flushed in the savepoint can be limited. A predefined time threshold can be set such that all modified pages that have not been modified since the predefined time threshold are flushed to disk (i.e., a time window can be defined which specifies when to flush pages to disk, etc.). The page flusher can be, for example, a thread that runs in a defined time interval and flushes all modified pages that are not modified for a defined time threshold.

It is explicitly allowed and expected that read statements that are routed to thesecondary system510 can see an older state of data (log replay can be lag behind the primary system505). The goal here is that the visibility of thesecondary system510 can be as possible to theprimary system505. The user can specify a maximum acceptable result lag for thesecondary system510 relative to the primary system505 (e.g., 1 minute, etc.). If the replay by thesecondary system510 is lagging behind more than 1 minute, the read statement will not be executed on thesecondary system510 but rerouted back to theprimary system505. With some savepoint during recovery implementations, every savepoint (e.g., every 5 minutes, etc.) the result lag can increase as long as the log replay is blocked by the savepoint, and this blocking can last several minutes in systems with a high update load. Such an arrangement can lead to a situation in which the customer cannot utilize thesecondary system510, as thesecondary system510 does not meet the required maximum result lag. In contrast, with the current optimization, given the independence of the savepoint, there is no substantial influence on the result lag.

FIG. 6 is a process flow diagram600 in which, at610, recovery of a database is initiated by taking the database system offline. Thereafter, at620, recovery operations specified by a redo log of the database system are replayed. During the replay, at630, updates to pages implicated by the recovery operations are blocked. Further, in parallel at640, modified pages are flushed to physical disk storage. Subsequently, at650, the database system is brought online after all of the recovery operations are replayed.

One or more aspects or features of the subject matter described herein can be realized in digital electronic circuitry, integrated circuitry, specially designed application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs) computer hardware, firmware, software, and/or combinations thereof. These various aspects or features can include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which can be special or general purpose, coupled to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device. The programmable system or computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.

These computer programs, which can also be referred to as programs, software, software applications, applications, components, or code, include machine instructions for a programmable processor, and can be implemented in a high-level procedural language, an object-oriented programming language, a functional programming language, a logical programming language, and/or in assembly/machine language. As used herein, the term “machine-readable medium” refers to any computer program product, apparatus and/or device, such as for example magnetic discs, optical disks, memory, and Programmable Logic Devices (PLDs), used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term “machine-readable signal” refers to any signal used to provide machine instructions and/or data to a programmable processor. The machine-readable medium can store such machine instructions non-transitorily, such as for example as would a non-transient solid-state memory or a magnetic hard drive or any equivalent storage medium. The machine-readable medium can alternatively or additionally store such machine instructions in a transient manner, such as for example as would a processor cache or other random access memory associated with one or more physical processor cores.

To provide for interaction with a user, the subject matter described herein may be implemented on a computer having a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) and/or a touch screen by which the user may provide input to the computer. Other kinds of devices may be used to provide for interaction with a user as well; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.

In the descriptions above and in the claims, phrases such as “at least one of” or “one or more of” may occur followed by a conjunctive list of elements or features. The term “and/or” may also occur in a list of two or more elements or features. Unless otherwise implicitly or explicitly contradicted by the context in which it is used, such a phrase is intended to mean any of the listed elements or features individually or any of the recited elements or features in combination with any of the other recited elements or features. For example, the phrases “at least one of A and B;” “one or more of A and B;” and “A and/or B” are each intended to mean “A alone, B alone, or A and B together.” A similar interpretation is also intended for lists including three or more items. For example, the phrases “at least one of A, B, and C;” “one or more of A, B, and C;” and “A, B, and/or C” are each intended to mean “A alone, B alone, C alone, A and B together, A and C together, B and C together, or A and B and C together.” In addition, use of the term “based on,” above and in the claims is intended to mean, “based at least in part on,” such that an unrecited feature or element is also permissible.

The subject matter described herein can be embodied in systems, apparatus, methods, and/or articles depending on the desired configuration. The implementations set forth in the foregoing description do not represent all implementations consistent with the subject matter described herein. Instead, they are merely some examples consistent with aspects related to the described subject matter. Although a few variations have been described in detail above, other modifications or additions are possible. In particular, further features and/or variations can be provided in addition to those set forth herein. For example, the implementations described above can be directed to various combinations and subcombinations of the disclosed features and/or combinations and subcombinations of several further features disclosed above. In addition, the logic flows depicted in the accompanying figures and/or described herein do not necessarily require the particular order shown, or sequential order, to achieve desirable results. Other implementations may be within the scope of the following claims.

Claims (15)

What is claimed is:

1. A computer-implemented method comprising:

initiating asynchronous execution of a savepoint as part of a recovery of a database system by taking the database system offline, the database system comprising an in-memory database storing data in main memory and having associated physical disk storage;

replaying recovery operations specified by a redo log of the database system;

blocking updates to modified pages in the main memory that are implicated by the recovery operations during the replaying;

triggering, during the replaying, any remaining I/O operations during blocking of the updates to the modified pages implicated by the recovery operations;

flushing modified pages from the main memory to physical disk storage in parallel to the blocking of the updates to pages in the main memory implicated by the recovery operations;

executing recovery operations specified by the redo log up to a savepoint redo log entry position and then executing the savepoint; and

bringing the database system online after all of the recovery operations are replayed;

wherein:

the savepoint comprises two phases: a first phase during which the modified pages are flushed from the main memory to physical disk storage and, in parallel, updates to pages in the main memory that are implicated by the recovery operations specified by the redo log are blocked and a second phase that occurs subsequent to the first phase during which remaining I/O is completed;

replay of recovery operations continues after the first phase of savepoint is executed.

2. The method ofclaim 1, wherein pages modified earlier than a pre-defined time threshold are flushed from the main memory to the physical disk storage once such pre-defined time threshold is exceeded.

3. The method ofclaim 1, wherein the database system comprises a primary database system and an associated secondary database system, wherein read statements are routed to the secondary database system until such time as a result lag between the primary database system is beyond a pre-defined lag threshold relative to the secondary database system.

4. The method ofclaim 3, wherein both of the primary database system and the associated secondary database system are in-memory databases storing data in main memory and each having associated physical disk storage.

5. The method ofclaim 1, wherein the modified pages are flushed using a continuous disk flusher.

6. The method ofclaim 5, wherein the continuous disk flusher is a thread that runs in a defined time interval and flushes all modified pages that are not modified for a defined time threshold.

7. A system comprising:

at least one data processor; and

memory storing instructions which, when executed by the at least one data processor, result in operations comprising:

initiating asynchronous execution of a savepoint as part of a recovery of a database system by taking the database system offline, the database system comprising an in-memory database storing data in main memory and having associated physical disk storage;

replaying recovery operations specified by a redo log of the database system;

blocking updates to modified pages in the main memory that are implicated by the recovery operations during the replaying;

triggering, during the replaying, any remaining I/O operations during blocking of the updates to the modified pages implicated by the recovery operations;

flushing modified pages from the main memory to physical disk storage in parallel to the blocking of the updates to pages in the main memory implicated by the recovery operations;

executing recovery operations specified by the redo log up to a savepoint redo log entry position and then executing the savepoint; and

bringing the database system online after all of the recovery operations are replayed;

wherein:

the savepoint comprises two phases: a first phase during which the modified pages are flushed from the main memory to physical disk storage and, in parallel, updates to pages in the main memory that are implicated by the recovery operations specified by the redo log are blocked and a second phase that occurs subsequent to the first phase during which remaining I/O is completed;

replay of recovery operations continues after the first phase of savepoint is executed.

8. The system ofclaim 7, wherein pages modified earlier than a pre-defined time threshold are flushed from the main memory to the physical disk storage once such pre-defined time threshold is exceeded.

9. The system ofclaim 7, wherein the database system comprises a primary database system and an associated secondary database system, wherein read statements are routed to the secondary database system until such time as a result lag between the primary database system is beyond a pre-defined lag threshold relative to the secondary database system.

10. The system ofclaim 9, wherein both of the primary database system and the associated secondary database system are in-memory databases storing data in main memory and each having associated physical disk storage.

11. The system ofclaim 7, wherein the modified pages are flushed using a continuous disk flusher.

12. The system ofclaim 11, wherein the continuous disk flusher is a thread that runs in a defined time interval and flushes all modified pages that are not modified for a defined time threshold.

13. A computer program product comprising non-transitory machine readable storage medium storing instructions which, when executed by at least one data processor forming part of at least one computing system, result in operations comprising:

initiating asynchronous execution of a savepoint as part of a recovery of a database system by taking the database system offline, the database system comprising a primary database system and a secondary database system, the secondary database system comprising an in-memory database storing data in main memory and having associated physical disk storage;

replaying recovery operations specified by a redo log of the secondary database system;

blocking updates to modified pages in the main memory that are implicated by the recovery operations during the replaying;

triggering, during the replaying, any remaining I/O operations during blocking of the updates to the modified pages implicated by the recovery operations;

flushing modified pages from the main memory to physical disk storage in parallel to the blocking of the updates to modified pages in the main memory implicated by the recovery operations;

executing recovery operations specified by the redo log up to a savepoint redo log entry position and then executing the savepoint; and

bringing the secondary database system online after all of the recovery operations are replayed;

wherein:

the savepoint comprises two phases: a first phase during which the modified pages are flushed from the main memory to physical disk storage and, in parallel, updates to pages in the main memory that are implicated by the recovery operations specified by the redo log are blocked and a second phase that occurs subsequent to the first phase during which remaining I/O is completed;

replay of recovery operations continues after the first phase of savepoint is executed.

14. The computer program product ofclaim 13, wherein pages modified earlier than a pre-defined time threshold are flushed to the physical disk storage once such pre-defined time threshold is exceeded.

15. The computer program product ofclaim 13, wherein the operations further comprise:

wherein the modified pages are flushed using a continuous disk flusher that is a thread that runs in a defined time interval and flushes all modified pages that are not modified for a defined time threshold.

Images